Trojan.DownLoader4.20405

To ensure autorun and distribution:

Creates the following services:

[<HKLM>\SYSTEM\ControlSet001\Services\QuickDownload Service] 'Start' = '00000002'
[<HKLM>\SYSTEM\ControlSet001\Services\QuickDownload Agent] 'Start' = '00000002'

Malicious functions:

To bypass firewall, removes or modifies the following registry keys:

[<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List] '%PROGRAM_FILES%\QuickDownloadService\qdownservice.exe' = '%PROGRAM_FILES%\QuickDownloadService\qdownservice.exe:*:Enabled:QuickDownloadSvc'

Creates and executes the following:

%PROGRAM_FILES%\QuickDownloadService\sc.exe DELETE "QuickDownload Agent" DELETE "QuickDownload Service" STOP "QuickDownload Agent" STOP "QuickDownload Service"
%PROGRAM_FILES%\QuickDownloadService\qdownagent.exe
%PROGRAM_FILES%\QuickDownloadService\qdownservice.exe
%PROGRAM_FILES%\QuickDownloadService\ElevationWrap.exe
<Current directory>\ElevationWrap.exe
%PROGRAM_FILES%\QuickDownloadService\StopMegaService.exe

Executes the following:

<SYSTEM32>\sc.exe FAILURE "QuickDownload Agent" reset= 180 actions= "restart/180000/restart/180000/restart/180000"
<SYSTEM32>\sc.exe start "QuickDownload Service"
<SYSTEM32>\sc.exe start "QuickDownload Agent"
<SYSTEM32>\sc.exe description "QuickDownload Service" "ДБЕЩГч ґЩїо·ОµеЅГ ґЩїо·Оµе јУµµ Зв»уА» А§ЗС јєсЅєё¦ Б¦°шЗХґПґЩ."
<SYSTEM32>\sc.exe description "QuickDownload Agent" "ДБЕЩГч ґЩїо·ОµеЅГ ґЩїо·Оµе јУµµ Зв»уА» А§ЗС јєсЅєё¦ Б¦°шЗХґПґЩ."
<SYSTEM32>\sc.exe FAILURE "QuickDownload Service" reset= 180 actions= "restart/180000/restart/180000/restart/180000"
<SYSTEM32>\netsh.exe firewall add portopening TCP 2869 "UPnP TCP"
<SYSTEM32>\netsh.exe firewall add allowedprogram "%PROGRAM_FILES%\QuickDownloadService\qdownservice.exe" "QuickDownloadSvc" ENABLE
<SYSTEM32>\wscript.exe "%PROGRAM_FILES%\QuickDownloadService\Firewall.vbs"
<SYSTEM32>\sc.exe create "QuickDownload Service" binPath= "%PROGRAM_FILES%\QuickDownloadService\qdownservice.exe" start= auto error= ignore
<SYSTEM32>\sc.exe create "QuickDownload Agent" binPath= "%PROGRAM_FILES%\QuickDownloadService\qdownagent.exe" start= auto error= ignore
<SYSTEM32>\netsh.exe firewall add portopening UDP 1900 "UPnP UDP"

Modifies file system :

Creates the following files:

%PROGRAM_FILES%\QuickDownloadService\conf\is-PN9UH.tmp
%PROGRAM_FILES%\QuickDownloadService\unins000.dat
%PROGRAM_FILES%\QuickDownloadService\conf\data3.cfg
%PROGRAM_FILES%\QuickDownloadService\is-JVU98.tmp
%PROGRAM_FILES%\QuickDownloadService\is-T3U5L.tmp
%PROGRAM_FILES%\QuickDownloadService\is-6GCPT.tmp
%PROGRAM_FILES%\QuickDownloadService\conf\data4.cfg
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\0J2LM5OP\maxuploadspeed[1].txt
%PROGRAM_FILES%\QuickDownloadService\maxuploadspeed.txt
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\0J2LM5OP\wpad[1].dat
%PROGRAM_FILES%\QuickDownloadService\conf\data6.tmp
%PROGRAM_FILES%\QuickDownloadService\conf\data2.tmp
%PROGRAM_FILES%\QuickDownloadService\conf\data2.cfg
%PROGRAM_FILES%\QuickDownloadService\is-IOR6S.tmp
%PROGRAM_FILES%\QuickDownloadService\is-DQRQB.tmp
%PROGRAM_FILES%\QuickDownloadService\is-1NI3U.tmp
%TEMP%\is-GCVPC.tmp\<Virus name>.tmp
%TEMP%\is-U20L8.tmp\_isetup\_RegDLL.tmp
%TEMP%\is-U20L8.tmp\_isetup\_shfoldr.dll
%PROGRAM_FILES%\QuickDownloadService\is-3K9T5.tmp
<Current directory>\is-1J3N2.tmp
%PROGRAM_FILES%\QuickDownloadService\is-UDALV.tmp
%PROGRAM_FILES%\QuickDownloadService\is-G2A3Q.tmp
%PROGRAM_FILES%\QuickDownloadService\is-ANI9H.tmp
%PROGRAM_FILES%\QuickDownloadService\is-5VREL.tmp
<Current directory>\is-VGDCH.tmp

Deletes the following files:

Network activity:

Connects to:

TCP:

HTTP GET requests:

UDP:

Miscellaneous:

Searches for the following windows: